Bump the backend group across 1 directory with 11 updates

[dependabot]

Bumps the backend group with 9 updates in the / directory:

Package	From	To
github.com/aquasecurity/trivy	0.59.1	0.60.0
github.com/go-git/go-git/v5	5.13.2	5.14.0
github.com/open-policy-agent/opa	1.1.0	1.2.0
github.com/opencontainers/image-spec	1.1.0	1.1.1
github.com/operator-framework/api	0.29.0	0.30.0
github.com/prometheus/client_golang	1.21.0	1.21.1
github.com/tektoncd/pipeline	0.68.0	0.69.0
golang.org/x/text	0.22.0	0.23.0
google.golang.org/api	0.222.0	0.224.0

Updates github.com/aquasecurity/trivy from 0.59.1 to 0.60.0

Release notes

Sourced from github.com/aquasecurity/trivy's releases.

v0.60.0

⚡Release highlights and summary⚡

👉 aquasecurity/trivy#8495

Changelog

https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0600-2025-03-05

Changelog

Sourced from github.com/aquasecurity/trivy's changelog.

0.60.0 (2025-03-05)

Features

• add --vuln-severity-source flag (#8269) (d464807)
• add report summary table (#8177) (dd54f80)
• cyclonedx: Add initial support for loading external VEX files from SBOM references (#8254) (4820eb7)
• go: fix parsing main module version for go >= 1.24 (#8433) (e58dcfc)
• misconf: render causes for Terraform (#8360) (a99498c)

Bug Fixes

• db: fix case when 2 trivy-db were copied at the same time (#8452) (bb3cca6)
• don't use scope for trivy registry login command (#8393) (8715e5d)
• go: merge nested flags into string for ldflags for Go binaries (#8368) (b675b06)
• image: disable AVD-DS-0007 for history scanning (#8366) (a3cd693)
• k8s: add missed option PkgRelationships (#8442) (f987e41)
• misconf: do not log scanners when misconfig scanning is disabled (#8345) (5695eb2)
• misconf: ecs include enhanced for container insights (#8326) (39789ff)
• misconf: fix incorrect k8s locations due to JSON to YAML conversion (#8073) (a994453)
• os: add mapping OS aliases (#8466) (6b4cebe)
• python: add poetry v2 support (#8323) (10cd98c)
• report: remove html escaping for shortDescription and fullDescription fields for sarif reports (#8344) (3eb0b03)
• sbom: add SBOM file's filePath as Application FilePath if we can't detect its path (#8346) (ecc01bb)
• sbom: improve logic for binding direct dependency to parent component (#8489) (85cca8c)
• sbom: preserve OS packages from multiple SBOMs (#8325) (bd5baaf)
• server: secrets inspectation for the config analyzer in client server mode (#8418) (a1c4bd7)
• spdx: init pkgFilePaths map for all formats (#8380) (72ea4b0)
• terraform: apply parser options to submodule parsing (#8377) (398620b)
• update all documentation links (#8045) (49456ba)

0.59.0 (2025-01-30)

Features

• add --distro flag to manually specify OS distribution for vulnerability scanning (#8070) (da17dc7)
• add a examples field to check metadata (#8068) (6d84e0c)
• add support for registry mirrors (#8244) (4316bcb)
• fs: use git commit hash as cache key for clean repositories (#8278) (b5062f3)
• image: prevent scanning oversized container images (#8178) (509e030)
• image: return error early if total size of layers exceeds limit (#8294) (73bd20d)
• k8s: improve artifact selections for specific namespaces (#8248) (db9e57a)
• misconf: generate placeholders for random provider resources (#8051) (ffe24e1)
• misconf: support for ignoring by inline comments for Dockerfile (#8115) (c002327)
• misconf: support for ignoring by inline comments for Helm (#8138) (a0429f7)
• nodejs: respect peer dependencies for dependency tree (#7989) (7389961)
• python: add support for poetry dev dependencies (#8152) (774e04d)

... (truncated)

Commits

• a4009f6 release: v0.60.0 [main] (#8327)
• 85cca8c fix(sbom): improve logic for binding direct dependency to parent component (#...
• 9892d04 chore(deps): remove missed replace of trivy-db (#8492)
• 8a89b2b chore(deps): bump alpine from 3.21.0 to 3.21.3 in the docker group across 1 d...
• 57b08d6 chore(deps): update Go to 1.24 and switch to go-version-file (#8388)
• 453c66d docs: add abbreviation list (#8453)
• f670602 chore(terraform): assign *terraform.Module 'parent' field (#8444)
• dd54f80 feat: add report summary table (#8177)
• ab1cf03 chore(deps): bump the github-actions group with 3 updates (#8473)
• 1f85b27 refactor(vex): improve SBOM reference handling with project standards (#8457)
• Additional commits viewable in compare view

Updates github.com/go-git/go-git/v5 from 5.13.2 to 5.14.0

Release notes

Sourced from github.com/go-git/go-git/v5's releases.

v5.14.0

What's Changed

• v5: Bump Go and dependencies to mitigate GO-2025-3487 by @​pjbgf in go-git/go-git#1436

⚠️ Note that this version requires Go 1.23, due to the bump to golang.org/x/[email protected] which mitigates the CVE above. User's that can't bump to Go 1.23 will need to remain on the previous v5.13.x release.

Full Changelog: go-git/go-git@v5.13.2...v5.14.0

Commits

• 863c621 Merge pull request #1436 from pjbgf/v5-bumps
• 2e69e81 build: Bump dependencies
• b2c1ec9 build: Bump Go versions
• See full diff in compare view

Updates github.com/open-policy-agent/opa from 1.1.0 to 1.2.0

Release notes

Sourced from github.com/open-policy-agent/opa's releases.

v1.2.0

This release contains a mix of features, performance improvements, and bugfixes.

Parameterized Rego Tests (#2176)

Rego tests now support parameterization, allowing a single test rule to include multiple, hierarchical, named test cases. This feature is useful for data-driven testing, where a single test rule can be used for multiple test cases with different inputs and expected outputs.

package example_test
test_concat[note] if {
some note, tc in {
"empty + empty": {
"a": [],
"b": [],
"exp": [],
},
"empty + filled": {
"a": [],
"b": [1, 2],
"exp": [1, 2],
},
"filled + filled": {
"a": [1, 2],
"b": [3, 4],
"exp": [1, 2, 3], # Faulty expectation, this test case will fail
},
}
act := array.concat(tc.a, tc.b)
act == tc.exp

}

$ opa test example_test.rego
example_test.rego:
data.example_test.test_concat: FAIL (263.375µs)
  empty + empty: PASS
  empty + filled: PASS
  filled + filled: FAIL
--------------------------------------------------------------------------------
FAIL: 1/1

See the documentation for more information.

Authored by @​johanfylling, reported by @​anderseknert

... (truncated)

Changelog

Sourced from github.com/open-policy-agent/opa's changelog.

1.2.0

This release contains a mix of features, performance improvements, and bugfixes.

Parameterized Rego Tests (#2176)

Rego tests now support parameterization, allowing a single test rule to include multiple, hierarchical, named test cases. This feature is useful for data-driven testing, where a single test rule can be used for multiple test cases with different inputs and expected outputs.

package example_test
test_concat[note] if {
some note, tc in {
"empty + empty": {
"a": [],
"b": [],
"exp": [],
},
"empty + filled": {
"a": [],
"b": [1, 2],
"exp": [1, 2],
},
"filled + filled": {
"a": [1, 2],
"b": [3, 4],
"exp": [1, 2, 3], # Faulty expectation, this test case will fail
},
}
act := array.concat(tc.a, tc.b)
act == tc.exp

}

$ opa test example_test.rego
example_test.rego:
data.example_test.test_concat: FAIL (263.375µs)
  empty + empty: PASS
  empty + filled: PASS
  filled + filled: FAIL
--------------------------------------------------------------------------------
FAIL: 1/1

See the documentation for more information.

Authored by @​johanfylling, reported by @​anderseknert

... (truncated)

Commits

• d537788 Release v1.2.0 (#7403)
• d6b8e6d perf: various small improvements (#7357)
• e46696e ci: Using fetch-depth when fetching tags (#7400)
• 85eaacd docs: Add note about v1.0 addr behaviour (#7398)
• 83c8e0e ci: Adding fetch-tags under with in GHA (#7397)
• 10d1a54 Explicitly fetching fetching git tags for CI builds (#7395)
• 6088316 build(deps): bump github.com/containerd/containerd from 1.7.25 to 1.7.26 (#7392)
• 3ab892f docs: Update homepage examples to drop v1 import (#7391)
• bad1b1a build(deps): bump github.com/prometheus/client_golang (#7375)
• e75f583 build(deps): bump actions/download-artifact from 4.1.8 to 4.1.9 (#7389)
• Additional commits viewable in compare view

Updates github.com/opencontainers/image-spec from 1.1.0 to 1.1.1

Release notes

Sourced from github.com/opencontainers/image-spec's releases.

v1.1.1

Vote Passed [+5 -0 nv1] - https://groups.google.com/a/opencontainers.org/g/dev/c/T-olx0jdT18 Release PR : opencontainers/image-spec#1247 Full Changelog: opencontainers/image-spec@v1.1.0...v1.1.1

Commits

• 147f9c1 Release v1.1.1
• fbb4662 Merge pull request #1238 from mkenigs/wording-nit
• 81e457e Fix grammar nit
• 92353b0 Merge pull request #1225 from sudo-bmitch/pr-doc-go-version
• 1a0b9f9 Merge pull request #1230 from sudo-bmitch/pr-layout-extensibility
• f272635 Merge pull request #1228 from sudo-bmitch/pr-mixed-digest-algo
• e0462ab Merge pull request #1229 from tianon/setup-go
• cf536e3 Merge pull request #1227 from sudo-bmitch/pr-rm-project-doc
• 60acaac Document extensibility of the image layout
• 4dcf962 Document Go version policy
• Additional commits viewable in compare view

Updates github.com/operator-framework/api from 0.29.0 to 0.30.0

Release notes

Sourced from github.com/operator-framework/api's releases.

v0.30.0

What's Changed

• Bump k8s.io/apiextensions-apiserver from 0.32.0 to 0.32.1 by @​dependabot in operator-framework/api#394
• Bump sigs.k8s.io/controller-runtime from 0.19.4 to 0.20.0 by @​dependabot in operator-framework/api#396
• Bump sigs.k8s.io/controller-runtime from 0.20.0 to 0.20.1 by @​dependabot in operator-framework/api#400
• OCPBUGS#30001: Fix catalogsource typo for API docs by @​adellape in operator-framework/api#402
• 🌱 Bump k8s libs to v0.32.2 by @​perdasilva in operator-framework/api#404
• Bump sigs.k8s.io/controller-runtime from 0.20.1 to 0.20.2 by @​dependabot in operator-framework/api#405
• Bump github.com/spf13/cobra from 1.8.1 to 1.9.1 by @​dependabot in operator-framework/api#406
• 🌱 upgraded golang.org/x/oauth2 v0.23.0 => v0.27.0 by @​camilamacedo86 in operator-framework/api#408
• 🌱 Upgrade YQ version used from v4.28.1 to v4.45.1 by @​camilamacedo86 in operator-framework/api#412
• upgraded google.golang.org/genproto/googleapis/api v0.0.0-20240826202546-f6391c0de4c7 => v0.0.0-20250303144028-a0af3efb3deb by @​camilamacedo86 in operator-framework/api#410
• 🌱 Upgrade controller-gen from v0.17.0 to v0.17.2 by @​camilamacedo86 in operator-framework/api#411

New Contributors

• @​adellape made their first contribution in operator-framework/api#402

Full Changelog: operator-framework/api@v0.29.0...v0.30.0

Commits

• 5d816f1 Upgrade controller-gen from v0.17.0 to v0.17.2 (#411)
• d75a9bd upgraded google.golang.org/genproto/googleapis/api v0.0.0-20240826202546-f639...
• 4107e57 Upgrade YQ version used from v4.28.1 to v4.45.1 (#412)
• f522173 upgraded golang.org/x/oauth2 v0.23.0 => v0.27.0 (#408)
• 49dc30a Bump sigs.k8s.io/controller-runtime from 0.20.1 to 0.20.2 (#405)
• bc26bc0 Bump github.com/spf13/cobra from 1.8.1 to 1.9.1 (#406)
• 93aa09f Bump k8s libs to v0.32.2 (#404)
• b4021ba OCPBUGS#30001: Fix catalogsource typo for API docs (#402)
• 1ed2691 Bump sigs.k8s.io/controller-runtime from 0.20.0 to 0.20.1 (#400)
• 0879cf0 Bump sigs.k8s.io/controller-runtime from 0.19.4 to 0.20.0 (#396)
• Additional commits viewable in compare view

Updates github.com/prometheus/client_golang from 1.21.0 to 1.21.1

Release notes

Sourced from github.com/prometheus/client_golang's releases.

v1.21.1 / 2025-03-04

This release addresses a performance regression introduced in #1661 -- thanks to all who reported this quickly: @​chlunde, @​dethi, @​aaronbee @​tsuna @​kakkoyun 💪🏽. This patch release also fixes the iOS build.

We will be hardening the release process even further (#1759, #1761) to prevent this in future, sorry for the inconvenience!

The high concurrency optimization is planned to be eventually reintroduced, however in a much safer manner, potentially in a separate API.

• [BUGFIX] prometheus: Revert of Inc, Add and Observe cumulative metric CAS optimizations (#1661), causing regressions on low concurrency cases #1757
• [BUGFIX] prometheus: Fix GOOS=ios build, broken due to process_collector_* wrong build tags. #1758

• Revert "exponential backoff for CAS operations on floats" and cut 1.21.1 by @​bwplotka in prometheus/client_golang#1757
• Fix ios build for 1.21.1 by @​bwplotka in prometheus/client_golang#1758

Full Changelog: prometheus/client_golang@v1.21.0...v1.21.1

Changelog

Sourced from github.com/prometheus/client_golang's changelog.

1.21.1 / 2025-03-04

• [BUGFIX] prometheus: Revert of Inc, Add and Observe cumulative metric CAS optimizations (#1661), causing regressions on low contention cases.
• [BUGFIX] prometheus: Fix GOOS=ios build, broken due to process_collector_* wrong build tags.

Commits

• 8a42da3 Fix ios build. (#1758)
• 40c62f7 Merge pull request #1757 from prometheus/revert-121cas
• 689f590 Cut 1.21.1
• 9e567a7 Revert "Add: exponential backoff for CAS operations on floats (#1661)"
• See full diff in compare view

Updates github.com/tektoncd/pipeline from 0.68.0 to 0.69.0

Release notes

Sourced from github.com/tektoncd/pipeline's releases.

Tekton Pipeline release v0.69.0 "Oriental Longhair Omnibot"

-Docs @ v0.69.0 -Examples @ v0.69.0

Installation one-liner

kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.69.0/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a83b80360985c8a19920792656acc1566def6a298da6b73bd47b42307bceab304

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a83b80360985c8a19920792656acc1566def6a298da6b73bd47b42307bceab304
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.69.0/release.yaml
REKOR_UUID=108e9186e8c5677a83b80360985c8a19920792656acc1566def6a298da6b73bd47b42307bceab304
Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.69.0@sha256:" + .digest.sha256')
Download the release file
curl "$RELEASE_FILE" > release.yaml
For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

• ✨ Add feature flag to set readOnlyRootFilesystem for containers (#8186)

New feature flag set-security-context-read-only-root-filesystem in ConfigMap feature-flags. The new feature sets readOnlyRootFilesystem in securityContext for taskrun and affinity assistant containers.

Fixes

• 🐛 fix: Move when condition to higher priority (#8569)

... (truncated)

Commits

• 5b082b1 build(deps): bump k8s.io/client-go from 0.31.4 to 0.31.6
• 192317d build(deps): bump github.com/google/go-cmp from 0.6.0 to 0.7.0
• 1d2ea8b build(deps): bump k8s.io/code-generator from 0.31.4 to 0.31.6
• e32aef2 build(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/azure
• 81f8bf7 build(deps): bump the all group in /tekton with 2 updates
• 17f79a9 build(deps): bump github.com/go-jose/go-jose/v3 from 3.0.3 to 3.0.4
• c6449b7 build(deps): bump actions/cache from 4.2.1 to 4.2.2
• 339f421 build(deps): bump tj-actions/changed-files from 45.0.6 to 45.0.7
• 25a6227 add disable_spire build tag for entrypoint command
• 60cdce8 chore: add yaml linting to pre-commit
• Additional commits viewable in compare view

Updates golang.org/x/crypto from 0.34.0 to 0.35.0

Commits

• 7292932 ssh: limit the size of the internal packet queue while waiting for KEX
• See full diff in compare view

Updates golang.org/x/oauth2 from 0.26.0 to 0.27.0

Commits

• 681b4d8 jws: split token into fixed number of parts
• 3f78298 all: upgrade go directive to at least 1.23.0 [generated]
• 109dabf endpoints: add links/provider for Discord
• ac571fa oauth2: fix docs for Config.DeviceAuth
• 314ee5b endpoints: add patreon endpoint
• See full diff in compare view

Updates golang.org/x/text from 0.22.0 to 0.23.0

Commits

• 566b44f go.mod: update golang.org/x dependencies
• d5156da collate/build: do not use println in tests
• 221d88c x/text: fix scientific notation by removing extraneous spaces
• b18c107 internal/export/unicode: change C comment to mention unassigned code points
• 835f8ac language: use a more straightforward return value
• ae68efb internal/export/unicode: add CategoryAliases, Cn, and LC
• 518d9c0 all: upgrade go directive to at least 1.23.0 [generated]
• See full diff in compare view

Updates google.golang.org/api from 0.222.0 to 0.224.0

Release notes

Sourced from google.golang.org/api's releases.

v0.224.0

0.224.0 (2025-03-06)

Features

• all: Auto-regenerate discovery clients (#3038) (e50dbcf)
• all: Auto-regenerate discovery clients (#3040) (3acb9e0)
• all: Auto-regenerate discovery clients (#3041) (3795b39)
• all: Auto-regenerate discovery clients (#3042) (7d1e850)
• all: Auto-regenerate discovery clients (#3043) (eaeb698)
• all: Auto-regenerate discovery clients (#3048) (0f2af0f)
• all: Auto-regenerate discovery clients (#3051) (f10c130)

Bug Fixes

• transport/http: Add user agent to request headers (#3050) (10cb1ef), refs #3049

v0.223.0

0.223.0 (2025-02-25)

Features

• all: Auto-regenerate discovery clients (#3024) (ae09c4f)
• all: Auto-regenerate discovery clients (#3027) (7775233)
• all: Auto-regenerate discovery clients (#3031) (065695b)
• all: Auto-regenerate discovery clients (#3033) (9390c07)
• all: Auto-regenerate discovery clients (#3034) (a6fb5d5)
• all: Auto-regenerate discovery clients (#3036) (a606deb)
• all: Auto-regenerate discovery clients (#3037) (1532643)

Bug Fixes

• Copy AllowHardBoundTokens option from old auth to new auth. (#3030) (8cb69d6)

Changelog

Sourced from google.golang.org/api's changelog.

0.224.0 (2025-03-06)

Features

• all: Auto-regenerate discovery clients (#3038) (e50dbcf)
• all: Auto-regenerate discovery clients (#3040) (3acb9e0)
• all: Auto-regenerate discovery clients (#3041) (3795b39)
• all: Auto-regenerate discovery clients (#3042) (7d1e850)
• all: Auto-regenerate discovery clients (#3043) (eaeb698)
• all: Auto-regenerate discovery clients (#3048) (0f2af0f)
• all: Auto-regenerate discovery clients (#3051) (f10c130)

Bug Fixes

• transport/http: Add user agent to request headers (#3050) (10cb1ef), refs #3049

0.223.0 (2025-02-25)

Features

• all: Auto-regenerate discovery clients (#3024) (ae09c4f)
• all: Auto-regenerate discovery clients (#3027) (7775233)
• all: Auto-regenerate discovery clients (#3031) (065695b)
• all: Auto-regenerate discovery clients (#3033) (9390c07)
• all: Auto-regenerate discovery clients (#3034) (a6fb5d5)
• all: Auto-regenerate discovery clients (#3036) (a606deb)
• all: Auto-regenerate discovery clients (#3037) (1532643)

Bug Fixes

• Copy AllowHardBoundTokens option from old auth to new auth. (#3030) (8cb69d6)

Commits

• 92f5723 chore(main): release 0.224.0 (#3039)
• 78b9a2c chore: update background context to todo (#3046)
• f10c130 feat(all): auto-regenerate discovery clients (#3051)
• 10cb1ef fix(transport/http): Add user agent to request headers (#3050)
• 0f2af0f feat(all): auto-regenerate discovery clients (#3048)
• e878018 chore(all): update all (#3044)
• eaeb698 feat(all): auto-regenerate discovery clients (#3043)
• 7d1e850 feat(all): auto-regenerate discovery clients (#3042)
• 3795b39 feat(all): auto-regenerate discovery clients (#3041)
• 3acb9e0 feat(all): auto-regenerate discovery clients (#3040)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions